| Age | Commit message (Collapse) | Author |
|---|
|
|
|
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later
|
|
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.
|
|
use inet_net_pton to parse IP adresses.
stuff like
block in from 10/8 to any
works now.
some input camield@ and dhartmei@
ok dhartmei@, camield@, mcbride@
|
|
|
|
|
|
|
|
committed this was broken, only the first IP address was returned.
pointed out by danh@, who sent an excellent bug report.
ok dhartmei@
|
|
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.
ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)
|
|
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.
ok dhartmei@, pb@
|
|
- move unmask code to correct file
- whitespace
ok mcbride@ dhartmei@
|
|
dhartmei@ ok
|
|
arguments to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@
|
|
is applied immediately to the address.
This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.
Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any
idea refined by dhartmei@
ok frantzen@ henning@
|
|
ok dhartmei@ henning@
|
|
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf
ok dhartmei@ henning@
|
|
dhartmei@, henning@ ok
|
|
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.
from ryan
ok dhartmei@
|
|
about unused macros.
ok dhartmei@ henning@
|
|
macros come out right in verbose mode and is less functional overhead.
Also err on whitespace after a backslash. That type of error is hard to
find otherwise.
ok dhartmei@ henning@
|
|
ok henning@
|
|
|
|
|
|
drop is default, same behaviour as before
support
block drop
to override a return policy
|
|
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else
ok dhartmei@
|
|
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@
|
|
instead of just testing return_icmp > 0
ok dhartmei@
|
|
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.
|
|
several lines, no functional difference. From Camiel Dobbelaar.
|
|
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.
|
|
|
|
|
|
that's already handled earlier.
fast-forward on errnous lines
partitially from camield@, parts result of a discussion with Mike
ok frantzen@ dhartmei@
|
|
also block incoming packets with our own IP as src.
discussion & help frantzen
ok ho@ dhartmei@ frantzen@
|
|
|
|
no functional changes
ok pb@
|
|
noticed by <han@mijncomputer.nl>
ok pb@
|
|
|
|
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from whoch we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.
ok frantzen@
|
|
|
|
e. g.
antispoof log quick for { dc0, dc1 } inet
docs & regress coming
ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@
finally, a long story finds its happy end here.
|
|
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too
ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
|
|
behaviour noticed by Paul de Weerd, thanks!
ok dhartmei@
|
|
ok henning@
|
|
and null-terminate the interface name. Found by Michael Wallis.
ok henning@
|
|
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.
|
|
|
|
|
|
ok pb@
|
|
pointed out by mpech@
ok pb@
|
